More resources must be added into Chromium profile

Bug #1101298 reported by Gökçen Eraslan
Affects: apparmor (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: none

Bug Description

When I install the apparmor-profiles package and set the Chromium AppArmor profile to enforce mode, Chromium cannot detect the default browser and claims that it is not the default browser even though I have set it as such. And I see this line in dmesg:

... type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0

Now, there is only a /usr/bin/mawk line in the Chromium apparmor profile, but users may use a different implementation thanks to the alternatives system.

In addition, my dmesg is flooded by these lines:

... type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

It would be nice to see "/sys/devices/system/**/cpufreq/cpuinfo_max_freq r," added to the profile.

My patch regarding the issue is attached.

Tags: patch
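As an added illustration (this is not code from the bug report, the attached patch or the Ubuntu profile), the following Python script does the mechanical part of what the reporter did by hand: it parses DENIED audit lines like the two quoted above and prints, per profile (including child profiles such as `...//xdgsettings`), the file rule each denial is asking for. The `ix` exec mode and the `cpu[0-9]*` glob used to fold the per-CPU cpufreq paths are assumptions of this example and must be reconciled with the real profile (in particular, the exec mode should match whatever the profile already grants /usr/bin/mawk); write denials are flagged for review rather than granted. The sample log is constructed from the lines in this report plus one extra cpufreq line for a second CPU.

```python
"""Turn AppArmor DENIED audit records into candidate profile rules.

Added example, not part of the bug report or of Ubuntu's chromium profile.
The 'ix' exec mode and the cpu[0-9]* generalisation are assumptions; a real
profile change should be checked against the existing rules (apparmor-utils'
aa-logprof does this interactively against the full log).
"""
import re

# Constructed sample: the two denials quoted in the bug report (dmesg
# timestamp prefix dropped) plus a cpufreq hit for a second CPU.
SAMPLE_LOG = """\
type=1400 audit(1358526376.204:84): apparmor="DENIED" operation="exec" parent=6216 profile="/usr/lib/chromium-browser/chromium-browser//xdgsettings" name="/usr/bin/gawk" pid=6220 comm="xdg-mime" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
type=1400 audit(1358527121.548:197): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu0/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
type=1400 audit(1358527121.552:198): apparmor="DENIED" operation="open" parent=6072 profile="/usr/lib/chromium-browser/chromium-browser" name="/sys/devices/system/cpu/cpu1/cpufreq/cpuinfo_max_freq" pid=8984 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key=value pairs; values are either a double-quoted string or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit(1400) line as a dict, or
    None if the line is not an AppArmor DENIED record with a path in it."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    if fields.get("apparmor") != "DENIED":
        return None
    if "profile" not in fields or "name" not in fields:
        return None
    return fields


def collapse_cpu_index(path):
    """Fold /sys/devices/system/cpu/cpuN/... into one glob rule.
    The cpu[0-9]* pattern is an assumption of this example."""
    return re.sub(r"/cpu/cpu\d+/", "/cpu/cpu[0-9]*/", path)


def rule_for(fields, exec_mode="ix", generalize=False):
    """Build the file rule that would satisfy one denial.

    exec denials become '<path> <exec_mode>,'; other denials become
    '<path> <mask>,' using the mask letters as AppArmor logged them.
    Requests that include write access are emitted as a comment so a human
    decides whether to grant them.
    """
    path = fields["name"]
    if generalize:
        path = collapse_cpu_index(path)
    mask = fields.get("denied_mask") or fields["requested_mask"]
    if fields.get("operation") == "exec":
        return f"{path} {exec_mode},"
    if "w" in mask:
        return f"# REVIEW: write access requested: {path} {mask},"
    return f"{path} {mask},"


def suggest_rules(log_text, exec_mode="ix", generalize=False):
    """Return {profile: sorted unique rules} for every DENIED record."""
    by_profile = {}
    for line in log_text.splitlines():
        fields = parse_audit_line(line)
        if fields is None:
            continue
        rules = by_profile.setdefault(fields["profile"], set())
        rules.add(rule_for(fields, exec_mode, generalize))
    return {p: sorted(r) for p, r in by_profile.items()}


def render(suggestions):
    """Print rules grouped by profile, ready to paste into the right block."""
    for profile, rules in suggestions.items():
        print(f"# {profile}")
        for rule in rules:
            print(f"  {rule}")
        print()


if __name__ == "__main__":
    render(suggest_rules(SAMPLE_LOG, generalize=True))
```

Run against a real `dmesg` or `/var/log/audit/audit.log` capture, the script groups the gawk denial under the `//xdgsettings` child profile and the cpufreq reads under the main profile, which is the distinction the reporter's patch has to respect: a rule added to the wrong block does nothing for the denial it was meant to fix.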
Revision history for this message
Gökçen Eraslan (gkcn) wrote :

It seems that adding the gawk and cpuinfo_max_freq lines to the profile is not enough; chromium also needs the lsb_release command and, even more importantly, the gnome-control-center command to open up the proxy settings.

Maybe it's better to add /usr/bin/gnome-control-center in ux access mode.

affects: apparmor → apparmor-profiles
summary: - Chromium cannot detect the default browser in apparmor enforce mode if
- gawk is the default awk
+ Chromium profile needs more executables to be added
Gökçen Eraslan (gkcn)
summary: - Chromium profile needs more executables to be added
+ More resources must be added into Chromium profile
Revision history for this message
intrigeri (intrigeri) wrote :

This bug report is about the custom profile shipped by Ubuntu in their apparmor-profiles package (and nowhere else AFAIK), not about the apparmor-profiles project (yeah, it's confusing, I know).

affects: apparmor-profiles → apparmor (Ubuntu)
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "apparmor.diff" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.12-4ubuntu5

---------------
apparmor (2.12-4ubuntu5) bionic; urgency=medium

  [ Didier Roche ]
  * debian/patches/ubuntu/communitheme-snap-support.patch:
    - support communitheme snap (LP: #1762983)

  [ Jamie Strandboge ]
  * debian/patches/ubuntu/add-chromium-browser.patch: adjust for newer
    chromium (LP: #1101298, LP: #1594589, LP: #1647142)
    - add attach_disconnected
    - allow reading /proc/vmstat
    - don't require owner match for /proc/pid/{stat,status} and task
      counterparts
    - adjust pci[0-9] to be pci[0-9a-f]
    - allow reading all uevents and /sys/devices/virtual/tty/tty0/active
    - allow ptracing xdgsettings and lsb-release
    - xdgsettings uses head and tr and looks at /usr/share/ubuntu/applications/
    - lsb-release uses python 3.6 and looks at apport, apt.conf, dpkg and
      distro-info
    - use 'm' on sandbox
  * debian/patches/ubuntu/mimeinfo-snap-support.patch: allow reading
    /var/lib/snapd/desktop/applications *.desktop and mimeinfo.cache
    (LP: #1712039)

 -- Jamie Strandboge <email address hidden> Tue, 17 Apr 2018 20:15:16 +0000

Changed in apparmor (Ubuntu):
status: New → Fix Released